Archive

I realized a while back that I had lost the zeal to attend security conferences. I’ve been attending security conferences for a long damn time, as many of you have too. DEF CON, RSA, Shmoo, a whole $HIATLOAD of B-Sides, SANS of course, etc. Lots of smaller ones here and there, too (logistics have prevented me from getting to Derby yet, which makes me a little sad). The number of security conferences being held is off the chart. If you take a look at SECore, you’ll see just how many conferences are going on anywhere in the world at one point or another.

I think it’s gotten out of hand, honestly. Not because security cons are a bad thing, truth be told. Because we’re saying the same damn thing at all of them. The themes are the same, it’s a lot of the same people talking, the talks sometimes even say the exact same thing in different language. I can hear the criticism now. “Shack, that’s bullshit. We learn things at cons.” Mmmm hmmm. Sure you do. You hear what people say, you may find it fascinating, but very rarely will it make an impact on what you do day-to-day. Especially the heaping quantities of “Internet of Things” flaws and “sky is falling” talks about how doomed we all are when our thermostat becomes sentient, remotely takes over our cars, and we all die. Get a grip. It’s interesting, but we have major problems today, they’re a lot damn simpler than any of that “forward looking research”, and we’re still sucking ass at the basic stuff.

If you can’t lock down your desktops, what the hell are you doing listening to someone talk about malware reversing and shellcode? If you can’t detect a freaking port scan, let alone a DNS C2 channel, why are you waiting hours in line to hear a talk about hijacking car internals? I am a true believer in lifelong learning, so learning something just for the sake of learning is A-OK with me, I get it. But cons aren’t really helping us accomplish anything, unless they are straight-up training cons. And I don’t mean training your livers, since most cons involve staggering quantities of alcohol. Really, for a lot of folks, I think cons have become a few things:

A way to escape reality. Very few con talks touch on the mundane bullshit that we’re sucking at. They discuss pie-in-the-sky scenarios that involve vendors, “researchers”, and stuff that we can ogle at.

A stand-in for a social life. I have a lot of friends in infosec. I’ve got plenty that aren’t too. I can get shitfaced anytime – I don’t need to wait for a con. Seeing your infosec friends is cool. Going to more and more cons to see those people…well, that’s up to you. But maybe you could get together OUTSIDE a con for once? That’s what real friends do. Plan a trip somewhere that does not involve security. Shocking.

A place where people who don’t actually DO shit for a living can expound on their amazing security philosophy, telling those of us that DO do shit for a living how it’s all shaping up. Please. I know what the hell is going on in security, I live it every day. With a lot of clients. Doing real work.

An egomaniac stomping ground. If you continually got your ass beat in high school, sunlight sets you aflame instantly, and you have deep-seated challenges interacting socially, you can still be a rock god by breaking something and giving a talk on it. This is getting ridiculous. I love smart people, too, but I’m kind of over the “celebrity researcher”. I like people when they’re cool people, not just because they have some amazing “use after free” flaw they presented on.

A “scene whore”…well, scene. It’s COOL to be in infosec, apparently. You can almost predict the tweets when a con starts:
<scene_whore>Arrived! Where’s everyone at? #ConHashtag
…10 min later…
<scene_whore>I’m in the bar at the <con_hotel>! <Picture of alcoholic beverage> #ConHashtag
…20 min later…
<scene_whore>What’s going on? where is everyone? #ConHashtag
Most people are just folks. But being at a security con does not even come close to making you a real infosec professional. Knowing a bunch of people on Twitter doesn’t either. Drinking with people in bars may make you new friends, but still doesn’t mean you can accomplish shit as a security professional. There are even some people I see on Twitter who seem to attend every security conference on the fucking planet. What the hell is your JOB? Does someone pay you to go to cons? It’s SAD…NOT endearing.

This is a rant. I know this. But really, folks, cons are not doing shit for us, aside from giving us some fun times and maybe a handful of interesting talks here and there. If you really get value out of tons of cons, awesome. I would never tell anyone how to live their lives, or what to do with their time. But we are not FIXING ANYTHING. We still have Adobe and Java problems. We still suck at intrusion detection. We still suck at incident response. People are still clicking shit. We don’t know what we don’t know. Pretty much every con I see today won’t even begin to help with any of that. If you’re a pen tester? Sure, you’ll get some new tools, new techniques. But only about 5% of security folks are ACTUAL PENTESTERS. Lots of people like to fake it. But 95% of you are defense folks. Which is probably just fine. So do defense. Get better at fixing stuff. Focus on the boring, the mundane, but incredibly important crap like inventory management, patch management, configuration management, blocking and tackling at the network layer, security awareness, etc. I see almost no talks at cons on “solving this one problem in 10 different ways”. Almost none of you need to worry about hacking an ATM or a car. You DO need to get your backyard cleaned up. It’d be nice to see a conference with the following parameters:

The theme of “we’re failing” is 100% forbidden. No talks accepted, no slides with that, if you say it in your talk you are forced to listen to Barry Manilow albums the rest of the con.

All talks tell us how to fix something. That’s it. And REAL somethings, not some arcane crap that is only a reality for .00000004% of the world.

Absolutely no slides that include references to the Verizon Data Breach report. Verboten.

Every single attendee must write a blog post chronicling at least 5 things they learned. Tactical, “fix shit” things they learned.

No selfies. NONE.

People can only use their real names. Be a human being, and we’ll hang out. I have a real hard time here in 2014 referring to someone as only a “handle”. Call me “Dave” or “Shack” and we’re good. Let’s actually be real professionals. Crazy, right? Imagine if people at law or medical conferences referred to themselves as “D@rk Malpractice L0rd” or “SurgeonZer0”. Please. We’re not in chat rooms, people. And even if we were…that shit is OLD.

It probably won’t happen. There are still some really good efforts and conferences out there – I’m not disparaging the enormous efforts of those who run them. But I think we’re starting to look silly. Security is just a shit show, and we throw booze fests in the name of “research” constantly. Yay us.

In the last few days, there have been a flurry of stories about this supposedly sexist scenario at PyCon called Donglegate. Two dudes told some stupid dick jokes (referring to them as ‘dongles’) in the audience, a prominent female speaker heard them behind her, and she opted to make a big deal about it. Such a big deal, in fact, that they got fired from their jobs. I’m going to pull the “What the F***” card on this one. Lady – find somewhere else to make your soapbox stand, would you? This industry has REAL issues with sexism, but stupid dick jokes aren’t the problem, especially when they were obviously meant to be private conversation and not directed at anyone with malicious intent. Sheesh.

There’s been a lot of drama in the IT, and specifically the security, industries in the last few years. I think we’re experiencing a sort of cognitive dissonance, really. We keep being told that we need to be more professional and businesslike, so we are trying VERY hard to fit this ideal as an industry. I’ve come around on this thing, though. I am a product of a subculture, and I like that subculture. I like nose rings, tattoos, colored hair, stupid black T-shirts with juvenile and snarky slogans, and the idea that we still might be the smartest people in the room. And I don’t want to change ALL of it to fit an ideal someone else is creating for me.

I clean up well. I can wear business clothes and hang out in corporate environments with clients all day, and so do many of you. But I’m still the same tattooed geek who has been breaking shit since the 70’s. A lot of this drama, I think, is us feeling like we need to behave in a certain way to attain credibility…for SOME reason. We should stop this. I never want to hear this dumbass “getting a seat at the business table” crap anymore. If that is your goal in life, play the corporate politics and let the geeks do our thing. But do NOT deliberately create strife for others who are being nerds in their own culture, with their own peeps, and hurting no one in the process. If a crime is committed, do something. If someone offended you? FFS, get over yourself and adjust, or find your own damn subculture where you don’t need thick skin to hang with the people in the black T-shirts. Because we’ll be telling dick jokes. Awkwardly, granted, but…that’s us.

OK, so it’s not really worthless. It can help you get a job or a contract. But in the scheme of today’s infosec world? It’s really broken, in my opinion. Let me break down my thought process, since I’m typically pretty upbeat about things.

Over the years, I have had more than a few laughs with both clients and SANS students about various aspects of the CISSP. Few seem to *really* take it seriously. That’s a big indicator.

Second, there are far too many things in that cert/test that are completely and totally useless to 99% of us in infosec. As the Information Systems Security Professional, I do not need to know a damn thing about fire extinguisher types, fence height, or lighting. Sure, it may be interesting knowledge. But not relevant to most people’s infosec jobs, and thus extraneous in the cert.

Third, the CISSP demonstrates no hands-on skills. The test itself, completely insane in its wording and content in some cases, just makes you memorize a bunch of concepts. We don’t need many, if any, theoreticians today. I need tangible, real skills that can be put to good use immediately. You may argue that theory and research and risk and <blah blah blah> has its place. Sure it does. But I don’t need that in a cert like this. I want someone who can walk in the door and DO things. Not think about doing things. Or talk about doing things. Or answer obtuse questions about things without being able to perform hands-on tasks.

I’ve had some people tell me – “I’m proud of my CISSP.” Really? Of what, exactly?

Studying for a test

Taking and passing a long, obnoxious test

Doing WORK for 3-4 years (wow, welcome to a CAREER)

Having a college degree (in some cases)

Acquiring <puke> CPE credits for random bullshit-able things

Getting someone to attest that you are smart. And/or awesome.

People, it’s broken. HR offices are essentially discriminating against people who don’t have one, for really no good reason. This cert is ridiculous. If you have to get one for work, or compliance, or DOD 8570, or something…OK. But don’t strut around and act as though this really means you have something unique or special…you don’t. I know way too many CISSPs who can’t dissect a packet, configure a firewall or IDS, write a script, perform a real in-depth risk analysis, and so on. That does NOT bode well for the future of information security. If you argue that it’s meant to be a broad, “theory” cert – well, I argue we don’t NEED those. We need more DO-ers.

So what do I propose? I say scrap the whole thing. Start over. Build a cert and program that tests fundamental skills and means something to employers who really need things done. Offer existing cert holders one year and a free test to get the new one. Otherwise, they’re out. We need to weed out the people BSing their way through infosec on the back of a bunch of stupid CPEs. I’d love for the CISSP to mean something, and see the industry rally around it as a useful and legitimate indicator of knowledge and skill. Friends of mine like Wim Remes are on the ISC2 board, and Dave Lewis and Boris Sverdlik are running for the board now. I would love to see more awesome folks like these guys steering the ship. But it needs an overhaul regardless.

We have sacred cows in infosec, apparently. I read a blog post by Dave Aitel about security awareness yesterday that I really enjoyed – he took a very bold stance on a topic that everyone seems to have an opinion about. His argument? Security awareness is useless. Ditch it, and spend your time and money on technologies and techniques that actually control what users can do and what can happen to them.

Is he exactly right? No, probably not. But he took a stance, and got some thought-provoking dialogue going. What was incredibly disconcerting to me, however, was the vitriol people started spewing in the comments – how DARE he propose such a thing?! I tried commenting on the post but I think CSO flagged it and didn’t let me, and I was probably being a bit acidic in my comment, as well, but for different reasons. So a few things shook out; in essence, here’s what I was trying to say:

People, don’t be LEMMINGS. I saw a lot of people who were puffing out their chests as “leaders” in the infosec space spewing garbage about “people, process, technology” like they were attached to Shon Harris’ rear-end after having a love fest with her CISSP study guide. C’mon, just because it’s one of the “10 domains” doesn’t mean you have to evangelize.

Most security awareness programs SUCK. I would be willing to bet the majority of the awareness proselytizers on the thread are doing the same old crap with some stupid Web-based Flash thingie that people click through as fast as they can, and a little printout goes in their HR folder of whatever. UGH. That doesn’t work, never has, and never will.

Given that most programs suck, what is wrong with a contrarian view? Start a conversation on new methods of security awareness and protection, but don’t demonize Dave (who has likely seen more overall than most posters) for having the balls to suggest that something BLATANTLY NOT WORKING for most should be canned.

I generally think security awareness is ridiculous. Sure, sure, you need that compliance checkbox that asks for it. And OK, you have to TRY, I get that, too. But sometimes, we seem to cling desperately to ancient ideals and practices in this field that just might have run their course. I’m not ready to say security awareness is one of them…yet. But we can and should try to improve it, across the board, or find something else to do instead.

Earlier this month in NYC, my friend Marcus Ranum and I were having dinner and drinks after a day at the IANS forum. Marcus, in a lighthearted mood, posed the following question to me:

A fight breaks out between giant robots, pirates, and ninjas. Who wins?

We had a fun and spirited debate about this, and laughed at the sheer ridiculousness of the question itself – a pointless conversation, but fun, to be sure. The problem is, we’re having a lot of the same kinds of conversations in infosec right now.

Recently, my friend Josh Corman posted an article on CSO Magazine’s site entitled “The rise of the chaotic actor: Understanding Anonymous and ourselves”. As I would expect (coming from Josh), it is interesting, well-written, and insightful. It’s also totally, completely unimportant. Let me say that another way: IT’S A WASTE OF %*&^$ TIME. Now, lest you get the impression that I am bashing Josh, please know that I am not. I count him as a friend, he’s incredibly smart and talented. In fact, his Rugged Software project is one of the best, and likely most important, efforts underway in the infosec industry right now, and needs all the support it can get. But this? Drivel. And no, it’s not the content that chaps me. Not at all. Although, I must say, the use of D&D references crosses even MY boundary of geekiness acceptance.

Nope, not the content. What, then? The thing that pisses me off about this, and lit a fire under my ass yesterday, is that Josh, and CSO Magazine, put this out there with the disclaimer that this was “important”. Folks, it is not. It’s not because this kind of input is the equivalent of my conversation with Marcus – a watercooler discussion point, an anecdote, a thing to have a short chat and discuss casually – NOT something that will really change the fact of what we are dealing with. And what we are dealing with is the same problem we’ve had for a while now, in my opinion – too much blah blah blah, not enough elbow grease security.

I don’t blog a whole lot. I spend my time in a breakdown that consists of about 30% teaching people to fix shit (sometimes by breaking it first), 60% actually fixing shit (or breaking it first), and 10% speaking about these things. That is 10% of my time spent proselytizing or (hopefully) educating in some way, usually on a technical subject. What I see a lot of out there is people wasting their cycles debating shit that DOES NOT HELP ACTUALLY SECURE ANYTHING. This is not a good trend, folks. We need more do-ers, people who can put hands to keyboard and actually get some security done.

Josh and I had a spirited debate about this on Twitter. He reminded me of the Plan-Do-Check-Act cycle, and said we need to Plan before we Do. He’s right, of course. I’m not insinuating that. But this is not planning. This is mental masturbation. And too much planning, with too little doing, leads to “analysis paralysis” and that is a death-knell for your security program. I’d rather see a CISO who’s a former drill sergeant than one who is an endless pontificator of “what could be”. My friends Alex Hutton and Mike Dahn made small points that are valid – Alex reminded me that not all work is purely hands-on technically, as he and his team at Verizon compile metrics and risk data that all of us rely on. Totally valid, and that IS important. Mike nudged me and said that theory and practice must go together like PB and J (great analogy), and certainly there’s some truth to that as well. But if you are ALL theory, or spend too much time there, you don’t get around to the doing. And there’s a lot that needs doing. Check this stat from Alex and team’s latest Verizon Data Breach report:

Wow. If we spent just 10% of the time we waste on mental masturbation like “what do they want? who are they? are they nice people” kinds of crap on ACTUALLY hardening boxes, screening and pruning ACLs and FW rules, tuning IDS, performing sound vulnerability management practices, and actually fixing our code, we’d be in hella better shape. Are these conversations fun? Sure. Do we need to really rethink our focus? Maybe. I personally do not care if Anonymous is a secret league of 1337 grandmothers from Poland, or whether they want to hack me for vengeance, political motivation, or just plain old theft. Nope. Don’t care. I just know I have adversaries, and I need to protect my sensitive data. That’s what I care about, and that’s what you should care about too.

A few months ago I posted a post-RSA note on “Change we can Believe in”. I had grown tired of all the whining in this industry about how we “need change”. Well, here’s a change for ya: Stop wasting your time on crap like this that is not impactful unless you are a state agency. Most of us just need to hunker down and fix some things.

Post-RSA, I’ve seen a lot of commentary about how people were disappointed that the conference didn’t reveal more “change” on the part of the security industry. The reasons for this vary – too many Guido-esque sales douches, booth babes with pink hair (!?), the NSA using booth babes (spelled: desperate), overuse of the words “cloud” and “GRC” and “cyber” and….well, the list goes on. All of these are valid observations. And hearing all this noise has brought me back around to a thought I’ve had in the last few months about the nature of the “security community” in general.

I think some people in this industry have forgotten that first and foremost, it’s a JOB. That’s right, as in profession, earning a paycheck, whatever you want to call it. For whatever reason, a good number of people seem to have elevated information security beyond this (in their minds) to a CALLING. Let me be the one to call bullshit. Please. There is absolutely nothing wrong with having passion about what you do for a living. I fall into this camp – I genuinely love security, for the technical challenges, the people challenges, the unwashed (literally, too often) masses at the conferences, and the social camaraderie in many cases, too. But too many are constantly expressing outrage at how we’re not changing. Changing what, exactly?

Should there be more of a focus on application security vs network security? Probably. A good post to get you thinking about this (loosely, granted) can be found on Gunnar Peterson’s blog. Within our industry, that’s something we can rail about. And we do. But this serves as a perfect example of two fundamental truths that seem to be absent in most of the “we need change” conversations. Here they are, with my thoughts:

Security (especially at RSA) is a business. We have been talking for the last few years about “integrating with the business” in our organizations. I don’t care what business you’re in, the first rule of business is making money. And that’s exactly what the vendors are trying to do – make money. So they don’t really give a shit about what the echo chamber thinks – they use “cloud” and “GRC” and all the other buzzwords because they work. People buy stuff. Are they buying the *wrong* stuff? As a corollary, are we trying to solve the *wrong* problems (i.e. network vs app security, etc)? Maybe. But the vendors will go where the money is, and they’ll market their way to profits. If it upsets you, then you’re not really in line with “business” at all. Sorry.

We, as an industry, have absolutely zero control of what our adversaries do. That means that our innovation cycles will always be behind the threats and attacks, and it’s something we need to adjust to. I know, I know, we all pay lip service to this, but the reality is this – the criminals are BANKING right now. So their motivation is really a lot higher than ours in many ways – they want to make huge money, and they don’t want to get caught. We, on the other hand, are trying to prevent data loss/theft and “protect” ourselves and our organizations. It’s a noble effort, true, but will never have the same urgency as someone trying to illegally make millions of dollars quickly.

So what kind of “change” will get us ahead of the threats? That’s really the point of #2 – how do we “change” to get there? I’m not a pessimist by nature, but right now I think this is the wrong thing to be focusing on. I think the RIGHT changes to make are absolutely mental in nature, as Mike Rothman so aptly tweeted to me. Two things we can do:

Focus on doing the best JOB we can. Get off the “holy crusade” tip and go out and secure something. I’ve railed about this for a long time, but we’re all too fascinated by “breakers” vs “builders”, or at least “defenders”. If 99% of the security “community” spent their time fanatically focused on hardening their OS and apps, tuning IDS and other systems (behavioral and otherwise), implementing whitelisting with/instead of AV alone, etc. INSTEAD of worshipping the pen testers and exploit finders, we’d be better off. Let those folks do their thing. But the most good most people can do is by focusing on being the best defenders they can be. This is the mental change we need – do most lawyers, doctors, accountants, engineers, etc treat their jobs as a self-righteous soapbox all the time? No. And many of them are GREAT at their jobs. Less soapbox, more lockdown.

At B-Sides SFO, a few of us were having a conversation about how we could really make a difference to the realm of security. And Josh Corman suggested going outside our own “community” to talk to developers and others. This is probably the best idea out there – they call it the “echo chamber” for a reason…we all talk to EACH OTHER about the problems. We need to go to the developer conferences and local group meetings, the VMware meetings, the SysAdmin meetings, etc. What about teaching everyone at a retirement community about using Facebook “safely”? Teaching elementary school kids about online safety? You get the point – we need to expand our reach. Go evangelize! Just do it to a group that isn’t security people.

This is likely not the only type of “change” we need. I’m certainly no prophet, and I rant in the echo chamber, too. And do pen tests, etc, as well. But it seems like all this disgust at a lack of “change” could be easily remedied by some outbound efforts into other areas, not directed at security vendors and each other.

For those of us who have been in the infosec field for a while, we see a never-ending stream of weird behaviors and situations over the years that just don’t make any sense. Despite our best efforts to be optimistic, understanding, and “business-oriented”, there are a number of “infosec mysteries” that boggle the mind and assault the senses. Forthwith, I give you…Infosec Mysteries Volume 1.

1. Why are users still clicking on random attachments? Especially if the email is from someone they do not know, have never heard of, or purports to be one of their long-lost friends on Facebook?! This is undoubtedly one of the world’s greatest mysteries – how do we cure stupid? Many cars of convicted drunk drivers are equipped with alcohol sensors that detect blood alcohol level before they will properly start. Can we implement something similar for chronic offenders that hack, slash, and click their way to digital Armageddon? Is there a class of people out there that just cannot be trusted to use computers responsibly? This is similar to smoking in public for me – your exhaled smoke can have a negative effect on my health. Well, when these kinds of folks’ systems join the ranks of a bot army, it affects us, as well.

2. For all the intrusion detection systems I encounter in organizations, I estimate that 65% are used very little, even going so far as to call them “shelfware”. In addition, most staff using IDS today, that I encounter, are not properly customizing rule sets or even venturing to create their own rules, trusting the default rule sets and updates later provided by the vendor. So here’s the mystery – why the $%&! would you spend 5-6 figures (or more) on equipment that can act as cornerstones of your network monitoring capabilities and a) not get trained properly on how to use the stuff to its potential, and b) just ignore it after a period of time? I’ve seen this same phenomenon occur with other gear, but never so often as IDS.

3. So you’ve made an “investment” in antivirus. Who gives a shit? The stuff is CRAP, and it is BROKEN. The mystery – why are you not clamoring for, nay, DEMANDING, a whitelist solution? NOW!!?? With the proliferation of malware today, you are dealing with a new variant added to a “blacklist” every few seconds. Sounds really sustainable. Yep.

4. Here’s another doozie – the gradual desensitization of the public. In fact, this could be the greatest mystery on this list – how can TJ Maxx lose millions of credit card numbers, go through a scandalous public debacle, and actually see its share price go UP? The media has helped desensitize the public, unfortunately – “ho hum, another big data breach”. And we as security professionals have now come to realize that outrage is ephemeral. Ouch.

So I was, as usual, inspired by everyday events and news to relate to the infosec community. In its own way, so many of the things we encounter day-to-day have parallels in our security community…but I digress. The topic of the day is “zero tolerance” policies. I recently read an article about a nice young man named Zachary Christie. He’s a good student, learning karate, and a Cub Scout. He’s also a criminal. Well, at least in the eyes of his school system. Why? He had the AUDACITY to bring a fork/spoon/knife camping utensil to school to use at lunch and show his classmates. Zachary, incidentally, is 6 years old. SIX.

I could understand a gentle reprimand. The ol’ “We have a policy here” talk. But Zachary didn’t get that. Nope, this hardcore 6-year-old got suspended for 45 days! With the last week in solitary confinement for shanking a fellow inma…errrr, student! OK, I’m kidding about the last part. But the point should be clear – 45 days for this offense is actually punishing the student (very excessively), the parents (who will have to accommodate him with work schedules), and any rational, thinking person in the USA. That’s right, we’re all being punished because this makes us realize just how stupid we can be. And that hurts.

So. What about infosec? Well, we infosec people are policy creators and enforcers. Influencers, too, in many cases, but that’s less relevant here. I’ve had some really interesting conversations in the past with SANS students and Advisory Board members on this same topic. Some are all for draconian policies. Yaaar, matey, walk the plank! Others take a less heavy-handed approach. Which is right? Well, in my opinion (and we all know what THAT means), there are a few policy areas where we must be 100% black and white:

Intentional hacking or circumvention of access controls to do…anything.

Espionage.

That’s it. Yep, really. Supporting evidence plays a big role in most (if not all) of these, so even these may not be completely cut and dry. Generally, though, it’s a safe bet to have clear violation rules in place for any of these. What about others, though? What about all those myriad policies that we have painstakingly written that everyone in the organization hates? Some make sense, sure, but there’s probably some that should be visited on a per-case basis. Many people in many organizations hate security people. Some of you will say “so what?”. I say – you’re losing the game. People WILL get around you one way or another, and if they hate you they will try 10 times as hard. I’m not advocating being wishy-washy, and there are plenty of reasons (governance, compliance, industry standards, etc) why certain policies should have less “wiggle room” than others. But if we always approach policy with a “my way or the highway” attitude, we are going to isolate ourselves even more in infosec, and that’s a tragedy. Just something to think about. </rant>

So this will be hard to swallow for some. Particularly those who idolize folks like Charlie Miller, Dino Dai Zovi, and Alex Sotirov. Or whoever you know that found some amazing hack and paraded it around to win themselves a few minutes of supergeek fame.

Business 101: You can’t forcibly create a market where there isn’t one. It doesn’t work, it never has, it never will. So for those “vulnerability researchers” who are complaining how they are getting the shaft from software vendors who won’t pay them for their software, I hate to break it to you, but you’re shit out of luck, methinks. I think you inevitably have one of three options:

Keep finding bugs because you love finding bugs. Get your little minute of fame, and maybe your new MacBook or whatever, and STFU.

Sell your bugs to WabiSabiLabi or iDefense or some other marketplace. Maybe even an underground marketplace if your ethics are questionable.

Stop doing it. Get out. Find a new hobby. Get some sun, maybe – slowly, though, that pasty skin will burn if you’re not careful!

“Vendors have been getting a freebie for a while,” Dai Zovi said. “[But] why would I want to sit down and volunteer to find a bug in someone’s browser when it’s a nice, sunny day outside?”

Well, great question! Just DON’T! Seriously, are we all supposed to have some sympathy for folks who volunteer their time to find software bugs? Another dose of reality: all software has flaws. I can live with this. It’s just a part of business. So stop trying to make it seem like it’s these terrible, sloppy vendors who code so badly that SuperSecurityCoderMan has to come in behind them to show them all how bad things really are! Geez. Just SO SICK of this. I respect your skills, bro, but either help the community, take your 15 minutes and move on, or just stop with it already.

The other argument I hear is that “if I didn’t find this bug, some evil h@X0r would”. OK, let it happen. Seriously. If it happens, it happens, we can’t avoid the inevitable forever. But lose the martyr act. I, for one, am over it.

A guy I used to work for in the infosec field (of course) was always telling me that “perception is reality”. In his eyes, you could win the political game within our company by simply putting up a good front. Even if we were totally screwed up within the infosec group, or didn’t know what was going on with a project, or didn’t have a plan, we could create the illusion of competence by proactively bombarding people with information, acting a little smug and pompous, and berating other people for not caring about security (dammit!).

Was this a sound strategy? No, this guy was generally a boob and I worked for him only a short time. However, it really did get me thinking about a few ways to interpret this in the infosec space.

Just because someone talks a good game does not mean they know what the f*** they are talking about. Frankly, I personally believe that a number of the people floating around in the “blogosphere” who are billing themselves as “security experts” should STFU. However, many people seem to feel that “they blog, therefore they have kung fu”. Perception, at least for the unwashed masses, is reality. Because you’ll never KNOW whether that cool blog guy actually has kung fu or not. And he knows it.

A more global one this time. Do you think that most consumers inherently believe that their data is safe with companies who have it? Or the opposite? I think most people just sort of trust that their data is safe. And then when there’s a data breach, the company apologizes, and we all think “oh, well, they’ll just get BACK to being secure and all will be well.” Hmmmm.

Let’s focus on #2 (#1 was pure rant). I had the pleasure of meeting and speaking with Michael Santarcangelo of Security Catalyst about two weeks ago. He and I had lots in common, and hit it off well. One major point we agree upon was the total lack of outrage (in other words, the general complacency) of the populace WRT data breaches and data security overall. TJX loses 90 million people’s data, and people are still shopping there with no issues at all. Did they actually lose any customers? What about all the other breaches? Does anyone really care? Who really feels the pain? Who assumes the liability here?

OK, OK, I know this is sounding like a rant here, too, but really it’s just a question of whether people’s skewed perception of data security (it’s not that big a deal) in essence leads to the reality that it ISN’T that big a deal. This runs counter to all the ranting we do as security people, and of course no one will ADMIT that losing data might not really have long-term impacts at the moment. I’m certainly not saying we should give up the fight. And this doesn’t apply to data like sensitive intellectual property, health data, etc. Mostly payment card data, which can almost be considered ephemeral in some senses. But I ask – does perception equal reality in this case? Why or why not?